Should I obfuscate the OAuth consumer secret stored in my Android app?

2023-09-05 05:40:24 Author: 南风过境

My Android app contains the OAuth consumer secret for Twitter's API. At the moment it's in a .properties file in plain text, so it takes zero effort for someone to look it up in the APK.

Should I take steps to obscure it (like ROT13, or storing it in obfuscated Java code)? Or should I actually avoid doing any of that, as it would create a false sense of security?

How do people usually distribute/store the OAuth secret in Android apps? How common is it for the secret to be stolen and abused?

Recommended answer

The real question is what does an attacker get from stealing it...

You should do your best to protect secrets, but in the end a highly motivated hacker can always get to it in an installed app. So it's the value of the secret vs. the difficulty of extraction.

The value of the client secret is impersonating the application. It doesn't give any access to user data. However, since Twitter supports automatic issuance of credentials to previously approved apps (their sign-in with Twitter flow), an attacker can potentially build a web app with your secret and steal user data using a blind redirect.

The problem with Twitter's implementation is that they do not ask the developer about the nature of the application. If they did, they would not have issued you a secret to begin with, and would block anyone building a web application using your client credentials and stealing data from users who already approved it.

Obfuscating is one option, but a weak one. Moving the secret to a web server acting as an API proxy is another, but that just moves the problem elsewhere because now your app has to authenticate against the proxy server. However, this pattern can be reasonably secure if you require users to log into your site (which can use, via web views, Twitter to log in). This way, someone trying to abuse your proxy will need their users to open accounts on your service, which isn't very appealing.

In short, go ahead and obfuscate it. It doesn't hurt. Consider using the proxy pattern too. And maybe let Twitter know their security policies are "not great".
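The API proxy pattern from the answer, as an added example that is not part of the original post: the server alone holds the consumer secret, refuses callers that have no session from logging into the proxy site, and signs the Twitter OAuth 1.0a request on the user's behalf. The session store, key names and secret values are constructed placeholders.

```python
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import quote, urlparse

# Placeholder values: the real consumer key/secret live only in server-side
# config, never in the APK.
CONSUMER_KEY = "placeholder-consumer-key"
CONSUMER_SECRET = "placeholder-consumer-secret"

# Constructed session store: opaque session id -> that user's own Twitter
# access token, obtained when they signed in to the proxy site.
SESSIONS = {
    "sess-7f3a": {"oauth_token": "user-token", "oauth_token_secret": "user-token-secret"},
}

def _pct(value):
    # RFC 3986 percent-encoding: only ALPHA / DIGIT / "-" / "." / "_" / "~" stay bare.
    return quote(str(value), safe="")

def signature_base_string(method, url, params):
    """OAuth 1.0a signature base string (RFC 5849 section 3.4.1).
    Query parameters must be passed in `params`; the URL's query part is dropped."""
    u = urlparse(url)
    base_url = f"{u.scheme}://{u.netloc}{u.path}"
    pairs = sorted((_pct(k), _pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), _pct(base_url), _pct(normalized)])

def hmac_sha1_signature(base_string, consumer_secret, token_secret):
    """HMAC-SHA1 keyed with '<consumer secret>&<token secret>', base64-encoded."""
    key = f"{_pct(consumer_secret)}&{_pct(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base_string.encode(), hashlib.sha1).digest()).decode()

def proxy_authorization_header(session_id, method, url, params, nonce=None, timestamp=None):
    """Return the Authorization header the proxy attaches when forwarding the call,
    or None when the caller holds no valid session (without this check the proxy
    is a free signing oracle for anyone). The consumer secret never leaves here."""
    session = SESSIONS.get(session_id)
    if session is None:
        return None
    oauth = {
        "oauth_consumer_key": CONSUMER_KEY,
        "oauth_nonce": nonce or secrets.token_hex(16),
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp or int(time.time())),
        "oauth_token": session["oauth_token"],
        "oauth_version": "1.0",
    }
    base = signature_base_string(method, url, {**params, **oauth})
    oauth["oauth_signature"] = hmac_sha1_signature(base, CONSUMER_SECRET, session["oauth_token_secret"])
    return "OAuth " + ", ".join(f'{k}="{_pct(v)}"' for k, v in sorted(oauth.items()))
```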